Password Spraying in Active Directory

Mateusz Springer, published in CDeX, Aug 26, 2020

Password spraying is an attack in which one or a few passwords are tried against many accounts. Because each account sees only a handful of attempts, the attack is resistant to account lockout thresholds that limit the number of unsuccessful logins. Large organizations are particularly vulnerable: with a large number of users, the probability of finding accounts with simple passwords is higher.

A password spraying attack is more difficult to detect than brute force. Because there are only a few login attempts per account, a limit on failed login attempts will not prevent this kind of attack. Password spraying can be detected from entries in the Windows Event Log on domain controllers:

· 4771 — Kerberos pre-authentication failed

· 4776 — The domain controller attempted to validate the credentials

By default, domain controllers don't log these events. You can enable them with Group Policy:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon

· Audit Kerberos Authentication Service: Failure

· Audit Credential Validation: Failure

In practice, in domains with a large number of users, the number of events may turn out to be so large that manual log analysis is ineffective. In this situation, you can use a SIEM (Security Information and Event Management) system or an appropriately configured IDS (Intrusion Detection System).

If you check logs directly on domain controllers, keep in mind to check all domain controllers, because the Security log is not replicated between them. Filtering and searching logs, especially on multiple domain controllers, is much faster with PowerShell than with Event Viewer.

You can use the Get-EventLog cmdlet to read logs from all domain controllers at the same time, e.g.:
Get-EventLog -LogName Security -ComputerName (Get-ADDomainController -Filter *).HostName -InstanceID 4771

You may perform further analysis of this cmdlet's results using Where-Object and Group-Object.

(Screenshot: Windows PowerShell)

You should look for many login attempts against different accounts in a short period of time, especially when they originate from one machine.
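The search described above, written out as an added PowerShell example (not code from the original article): it collects 4771/4776 failures from every domain controller, normalises them to account, source and time, and reports sources that touched many distinct accounts inside one time window. It assumes the RSAT ActiveDirectory module, remote read access to each DC's Security log, and the thresholds given in the parameters, which you should tune for your domain.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory module and
# rights to read the Security log on each domain controller remotely (Remote Event Log Management).
function Get-AuthFailure {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since }
        # 4771 is always a failure; 4776 is also logged for successes (Status 0x0), so those are dropped below.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $d = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                # 4771 (Kerberos) carries the client IP; 4776 (NTLM) only carries the workstation name.
                $src = if ($_.Id -eq 4771) { $d['IpAddress'] -replace '^::ffff:', '' } else { $d['Workstation'] }
                [pscustomobject]@{
                    Time = $_.TimeCreated; DC = $dc; Id = $_.Id
                    Account = $d['TargetUserName']; Source = $src; Status = $d['Status']
                }
            } | Where-Object { $_.Id -eq 4771 -or $_.Status -ne '0x0' }
    }
}

function Find-PasswordSpray {
    param(
        [Parameter(ValueFromPipeline)] $Event,
        [int]$WindowMinutes = 10,   # fixed time bucket size
        [int]$MinAccounts = 10      # distinct accounts per source per bucket before it is reported
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Event) }
    end {
        $bucket = [timespan]::FromMinutes($WindowMinutes).Ticks
        # Group by source and time bucket: many different accounts from one source is the spray signature.
        $all | Group-Object { '{0}|{1}' -f $_.Source, [math]::Floor($_.Time.Ticks / $bucket) } |
            ForEach-Object {
                $accounts = @($_.Group.Account | Sort-Object -Unique)
                if ($accounts.Count -ge $MinAccounts) {
                    [pscustomobject]@{
                        Source      = $_.Group[0].Source
                        WindowStart = ($_.Group | Sort-Object Time)[0].Time
                        Attempts    = $_.Count
                        Accounts    = $accounts.Count
                        Sample      = ($accounts | Select-Object -First 5) -join ', '
                    }
                }
            } | Sort-Object Accounts -Descending
    }
}

# Usage: Get-AuthFailure -Since (Get-Date).AddHours(-24) | Find-PasswordSpray -WindowMinutes 10 -MinAccounts 20
```

A 4776 source is only a workstation name that the client supplies itself, so treat it as weaker evidence than the client IP in 4771.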

One way to limit the effectiveness of password spraying attacks is to enforce complex passwords. Unfortunately, this does not solve the problem entirely. For example, if an ACME Corporation employee sets the password ACMECorporation2020! on his/her account, the password meets the complexity requirements but should still be considered weak, as it consists of the company name, the year and one special character. Unfortunately, on-premises Active Directory does not let you reject passwords based on a defined list. Without external solutions the problem can only be reduced, not eliminated. To do this, use the Maximum password age and Enforce password history policies. The employee will still be able to set the password ACMECorporation2020!, but only once; with the next password change, s/he will have to choose a different one.

The password policy should be implemented in the Default Domain Policy. The password policy recommended by Microsoft in the Microsoft Security Compliance Toolkit is shown below:

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy

(Screenshot: Password Policy)

Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Account Lockout Policy

(Screenshot: Account Lockout Policy)

The minimum password length in these recommendations is quite long, and such passwords may be difficult to remember. That's why administrators should build awareness among users about password-related risks.

Moreover, it is worth considering restricting the accounts under which critical services run so that they can log on only to selected machines. Where possible, you can also use Managed Service Accounts.

Services available from the Internet, like Outlook on the web, should have multi-factor authentication implemented. For increased security, you may also consider implementing multi-factor authentication inside the company network.
